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Abstract 

We  propose  a  general  framework  for  the  static  analysis  of  programs 
based  on  Kleene  algebra  with  tests  (KAT).  We  show  how  KAT  can  be 
used  to  statically  verify  compliance  with  safety  policies  specified  by  se¬ 
curity  automata.  We  prove  soundness  and  completeness  over  relational 
interpretations.  We  illustrate  the  method  on  an  example  involving  the 
correctness  of  a  device  driver. 


1  Introduction 

Kleene  algebra  with  tests  (KAT)  is  an  algebraic  system  for  program  specifica¬ 
tion  and  verification  that  combines  Kleene  algebra,  or  the  algebra  of  regular 
expressions,  with  Boolean  algebra.  One  can  model  basic  programming  language 
constructs  such  as  conditionals  and  while  loops,  verification  conditions,  and 
partial  correctness  assertions.  KAT  has  been  applied  successfully  in  substantial 
verification  tasks  involving  communication  protocols,  source-to-source  program 
transformation,  concurrency  control,  compiler  optimization,  and  dataflow  anal¬ 
ysis  [2,  4,  5,  6,  11,  14].  The  system  is  PSPACE- complete  and  deductively 
complete  for  partial  correctness  over  relational  and  trace  models  [12]. 

KAT  has  a  rich  algebraic  theory  with  many  natural  and  useful  models: 
language-theoretic,  relational,  trace-based,  matrix.  Because  of  its  roots  in 
classical  algebra  and  equational  logic,  KAT  provides  a  mathematically  rigor¬ 
ous  foundation  that  subsumes  many  previous  approaches,  recasting  them  in  a 
more  classical  algebraic  framework.  Hoare  logic  and  program  sclrematology  are 
two  examples  of  major  theories  in  computer  science  that  can  be  given  a  more 
classical  treatment  using  KAT. 

In  this  paper,  we  show  how  KAT  provides  a  general  framework  for  the  static 
analysis  of  programs.  We  give  a  general  construction  that  shows  how  to  use 


KAT  to  statically  verify  compliance  with  safety  policies  specified  by  security 
automata.  We  prove  the  soundness  and  completeness  of  the  method  over  rela¬ 
tional  interpretations.  These  results  further  attest  to  the  versatility  of  KAT  as 
a  general  framework  for  many  verification  tasks  in  computer  science. 

Security  automata  are  a  popular  mechanism  for  the  specification  and  en¬ 
forcement  of  a  large  class  of  safety  policies  [16].  A  security  automaton  is  an 
ordinary  finite-state  automaton  in  which  certain  states  are  designated  as  error 
states.  A  transition  to  a  new  state  may  occur  when  a  critical  operation  of  a 
program  is  executed.  Any  computation  of  a  program  containing  a  sequence  of 
critical  operations  that  sends  the  automaton  to  an  error  state  violates  the  policy 
as  specified  by  the  automaton. 

The  following  example  is  from  [16].  Suppose  we  wish  to  specify  that  a 
program  may  not  sent  a  message  out  over  the  network  after  it  has  read  the  disk. 
This  restriction  can  be  specified  by  the  following  automaton. 


send 


read 


start 


l  1 


read 


send 


Here  the  leftmost  state  indicates  that  the  program  has  not  yet  read  the  disk. 
This  is  the  initial  state.  As  long  as  the  automaton  is  in  this  state,  network 
activity  is  permitted.  Any  read  of  the  disk,  however,  causes  a  transition  to 
the  second  state,  which  indicates  that  the  disk  has  been  read.  From  this  state, 
further  disk  reads  are  allowed,  but  the  program  may  not  send  a  message  out 
over  the  net.  Any  attempt  to  do  so  causes  a  transition  to  the  error  state. 

The  automaton  can  be  used  for  runtime  enforcement  of  the  security  policy  as 
well  as  specification.  The  program  code  is  instrumented  to  call  the  automaton 
before  all  critical  operations  (ones  that  could  change  state  of  the  automaton). 
The  automaton  aborts  the  computation  if  the  operation  would  cause  a  transition 
to  an  error  state. 

This  enforcement  mechanism  as  described  in  [16]  is  purely  a  runtime  mech¬ 
anism.  In  this  paper  we  describe  a  general  method  based  on  KAT  for  verifying 
statically  compliance  with  the  policy  as  specified  by  the  security  automaton. 
The  method  uses  the  KAT  rules  to  propagate  state  information  throughout  the 
program  to  all  critical  operations.  If  the  verification  is  successful,  an  indepen¬ 
dently  checkable  proof  object  is  produced  that  can  be  used  to  certify  that  the 
runtime  checks  are  unnecessary.  We  prove  a  soundness  theorem  (Theorem  4.1) 
that  says  that  any  program  verified  in  this  fashion  satisfies  the  policy.  There  is 
also  a  version  with  a  simplified  verification  condition  (Corollary  4.2)  for  when 
the  program  is  known  to  be  total.  We  also  prove  a  completeness  theorem  (The¬ 
orem  5.1)  that  says  that  if  the  propositional  abstraction  of  the  program  fails  to 
verify,  then  there  is  a  relational  interpretation  in  which  the  program  is  unsafe. 
Finally,  we  illustrate  the  method  on  an  example  of  [3]  involving  the  verification 
of  a  device  driver. 
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2  Preliminary  Definitions 

2.1  Kleene  Algebra 

Kleene  algebra  (KA)  is  the  algebra  of  regular  expressions  [9,  7].  The  axiom- 
atization  used  here  is  from  [10].  A  Kleene  algebra  is  an  algebraic  structure 
( K ,  +,  *,  0,  1)  that  is  an  idempotent  semiring  under  +,  •,  0, 1  such  that  p*q  is 

the  <-least  solution  to  q  +  px  <  x  and  qp*  is  the  <-least  solution  to  q  +  xp  <  x. 

•  def  (  ( 

Here  <  refers  to  the  natural  partial  order  on  AT:  p  <  q  •<=>•  p  +  q  =  q.  This  is  a 
universal  Horn  axiomatization. 

The  axioms  for  *  say  essentially  that  *  behaves  like  the  Kleene  asterate 
operator  of  formal  language  theory  or  the  reflexive  transitive  closure  operator 
of  relational  algebra. 

Standard  models  include  the  family  of  regular  sets  over  a  finite  alphabet; 
the  family  of  binary  relations  on  a  set;  and  the  family  ofnxn  matrices  over 
another  Kleene  algebra.  Other  more  unusual  interpretations  include  the  min,+ 
algebra,  also  known  as  the  tropical  semiring ,  used  in  shortest  path  algorithms, 
and  models  consisting  of  convex  polyhedra  used  in  computational  geometry. 

The  completeness  result  of  [10]  says  that  all  true  identities  between  regular 
expressions  interpreted  as  regular  sets  of  strings  are  derivable  from  the  axioms. 
In  other  words,  the  algebra  of  regular  sets  of  strings  over  a  finite  alphabet  P  is 
the  free  Kleene  algebra  on  generators  P.  The  axioms  are  also  complete  for  the 
equational  theory  of  relational  and  trace  models. 

2.2  Kleene  Algebra  with  Tests 

A  Kleene  algebra  with  tests  (KAT)  [11]  is  just  a  Kleene  algebra  with  an  embedded 
Boolean  subalgebra.  That  is,  it  is  a  two-sorted  structure  (A",  B ,  +,  -,  *,  “,  0,  1) 
such  that 

•  (K,  +,  -,  *,  0,  1)  is  a  Kleene  algebra, 

•  (U,  +,  •,  “,  0,  1)  is  a  Boolean  algebra,  and 

•  B  C  AT. 

Elements  of  B  are  called  tests  and  are  denoted  b,c,d,...  .  The  Boolean  com¬ 
plementation  operator  “  is  defined  only  on  tests.  Arbitrary  elements  of  K  are 
denoted  p,q,r, . . .  . 

The  set  of  terms  in  the  language  of  KAT  over  atomic  actions  P  and  atomic 
tests  B  is  denoted  RExpP  B. 

The  while  program  constructs  are  encoded  as  in  propositional  Dynamic 
Logic  [8]: 

def 

p ;  q  =  pq 

if  b  then  p  else  q  c=f  bp  +  bq 
while  b  do  p  c=f  ( bp)*b . 
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The  Hoare  partial  correctness  assertion  {b}  p  {c}  is  expressed  in  KAT  in  any 
one  of  the  following  three  equivalent  forms: 

bp  <  pc  (1) 

bp  =  bpc  (2) 

bpc  =  0.  (3) 

The  proof  of  the  equivalence  of  these  formulas  is  an  elementary  exercise  in  KAT ; 
see  [12].  Because  of  the  form  (3),  all  Hoare-style  rules  of  the  form 

{bi} Pi  {ci}  ...  {bn}pn{cn} 

W  P  M 

are  encoded  as  Horn  formulas  of  the  form 

biPiCi  =  0  bnpncn  =  0  ->•  bpc  =  0. 

Horn  formulas  all  of  whose  premises  are  of  the  form  p  =  0  are  called  Hoare 
formulas,  and  KAT  is  deductively  complete  for  the  Hoare  theory  of  relational 
models  [12];  that  is,  all  relationally  valid  Hoare  formulas  are  theorems  of  KAT. 
This  theory  is  also  decidable  in  PSP  ACE. 

See  [10,  11,  12,  15]  for  a  more  detailed  introduction  to  KA  and  KAT. 

2.3  Trace  and  Relational  Models 

2.3.1  Kripke  Frames 

For  applications  in  program  verification,  one  usually  interprets  programs  and 
tests  over  a  KAT  consisting  of  sets  of  traces  or  binary  relations  on  a  set  of  states. 
Both  these  classes  of  algebras  are  defined  in  terms  of  Kripke  frames.  A  Kripke 
frame  over  a  set  of  atomic  programs  P  and  a  set  of  atomic  tests  B  is  a  structure 
(. K ,  tn?f),  where  K  is  a  set  of  states,  trip  ■  P  — >  2KxK ,  and  m k  :  B  — »  2K .  The 
map  m-A'  specifies  a  canonical  interpretation  of  the  atomic  actions  and  tests. 

2.3.2  Relation  Algebras 

The  set  of  all  binary  relations  on  a  Kripke  frame  K  forms  a  KAT  under  the 
standard  binary  relation-theoretic  interpretation  of  the  KAT  operators.  The  op¬ 
erator  •  is  interpreted  as  relational  composition  o,  +  as  union,  0  and  1  as  the 
empty  relation  and  the  identity  relation  on  K,  respectively,  and  *  as  reflexive 
transitive  closure.  The  Boolean  elements  are  subsets  of  the  identity  relation. 
This  is  called  the  full  relation  algebra  on  K.  One  can  define  a  canonical  inter¬ 
pretation  [  Ik  ■  RExpPS  — >  2KxK  by 

Ip1k  d=  mK(p),  p&P 

[W k  =f  {(u,u)  |  u  e  vciK(b)},  b  G  B, 

extended  homomorphically.  A  binary  relation  is  regular  if  it  is  \_p~\k  for  some 
p  e  RExpp  o.  The  subalgebra  consisting  of  all  regular  binary  relations  on  K  is 
denoted  Relp.  We  write  REL  1=  ip  if  ip  is  true  in  all  Relp. 
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2.3.3  Trace  Algebras 


A  trace  in  a  Kripke  frame  K  is  a  sequence  soPo^i  ■  ■  •  sn-ipn-isni  where  n  >  0, 
Si  G  K ,  pi  G  P,  and  ( Si ,  Sj+i)  G  m*(p,)  for  0  <  i  <  n—  1.  The  set  of  all  traces  in 
K  is  denoted  Traces*;-  We  denote  traces  by  cr,  r, . . .  .  The  first  and  last  states  of 
a  trace  cr  are  denoted  first(cr)  and  last(cr),  respectively.  If  last(cr)  =  first(r), 
we  can  fuse  a  and  r  to  get  the  trace  err.  If  last(cr)  yb  flrst(r),  then  err  does  not 
exist.  The  label  of  the  trace  SoPoSi  •  •  •  sn-ipn-isn  is  the  string  po,  ■  ■  ■  ,pn- 1- 
The  powerset  of  Traces*  forms  a  KAT  in  which  +  is  interpreted  as  set  union, 

•  as  the  operation 

AB  =f  {err  |  a  G  A,  t  G  B,  last  (cr)  =  first  (r)}, 

0  and  1  as  0  and  K,  respectively,  and  A *  as  the  union  of  all  finite  powers  of  A. 
The  Boolean  elements  are  the  subsets  of  A,  the  sets  of  traces  of  length  0.  This 
is  called  the  full  trace  algebra  on  K.  A  canonical  interpretation  [  ]]*  for  KAT 
expressions  over  P  and  B  is  given  by 

I pJk  d=  {spt  |  (s,t)  G  m k(p)},  pG  P 
lbJK  =  m K(b),  b  G  B, 

extended  homomorphically.  A  set  of  traces  is  regular  if  it  is  [p]l*  for  some  KAT 
expression  p.  The  subalgebra  of  all  regular  sets  of  traces  of  K  is  denoted  Tr*. 
We  write  TR  1=  ip  if  ip  is  true  in  all  Tr*. 

If  A  is  a  set  of  traces,  define 

Prefix(A)  ^  {cr  |  3 t  err  G  A} . 

Lemma  2.1  Let  p  be  any  program  expression  and  b  any  test  expression.  Then 

[[&]]*  •  Prefix(  Ip]]*)  =  Prefix(  IbpJx). 

Proof.  For  any  cr  G  Traces*, 

cr  G  OJ*  •  Prefix(  [j;]]*)  o-  cr  G  Prefix(  [p]|*)  and  first (ct)  G  [&]| * 

<^>  3r  err  G  [pH*  and  first(ar)  G  C6]|* 

3r  err  G  Ibplx 
<^>  cr  G  Prefix(  [6p]]*). 


□ 


2.3.4  Canonical  Homomorphisms 

If  K,  L  are  KATs  with  distinguished  canonical  interpretations  I  :  RExpPS  — »•  K 
and  J  :  RExpP  B  — >  L,  a  homomorphism  h  :  K  — ►  L  is  canonical  if  it  commutes 
with  /  and  J.  In  particular,  a  homomorphism  involving  trace  or  relation  algebras 
on  Kripke  frames  over  P ,  B  is  canonical  if  it  commutes  with  [  ]*  and  [  ]*. 

An  example  of  a  canonical  homomorphism  is  the  map  Ext  :  2Tracesjf  — >  2KxK 
defined  by  Ext  :  A  <— >  {(first(cr),  last(cr))  |  cr  G  A}.  As  shown  in  [13,  §3.6],  this 
is  a  KAT  homomorphism,  and  Ext(  [p] I*)  =  [pi*. 
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Lemma  2.2  The  Hoare  theories  of  trace  algebras  and  relation  algebras  coincide. 

Proof.  By  [13,  Lemma  3.1],  every  trace  algebra  is  isomorphic  to  a  relation 
algebra,  so  the  Hoare  theory  of  relation  algebras  is  contained  in  the  Hoare  theory 
of  trace  algebras. 

For  the  other  direction,  suppose  TR  t=r  =  0— >  p  —  q.  (Without  loss  of 
generality,  we  can  restrict  ourselves  to  Hoare  formulas  with  a  single  premise.) 
Let  K  be  an  arbitrary  Kripke  frame.  Let  Ext  :  2TraceSjf  — ►  2A  x  K  be  the  canonical 
homomorphism  described  above.  Note  that  for  A  C  Traces^,  Ext  (A)  =  0  iff 
A  =  0.  Thus 

W]k  =  0  =>  Erlx  =  0  since  [?’]/<-  =  Ext(  Ma)  =  0  iff  [r]| k  =  0 

=>  1.pJk  =  lqlK  since  TR  1=  r  =  0  — >  p  =  q 

=>  [p] k  =  lqlK  since  Ext([p]x)  =  \_p~\k- 

Since  K  was  arbitrary,  we  have  RELI=r  =  0— >  p  =  q.  Thus  the  Hoare  theory 
of  trace  algebras  is  contained  in  the  Hoare  theory  of  relational  algebras.  □ 

2.3.5  Induced  Subframes 

Let  (L,  mi)  be  a  Kripke  frame  and  let  K  be  a  subset  of  L.  The  induced  subframe 
on  K  is  (K.  m#-),  where 


ttia-(6)  m  l(&)  n  K,  be  B , 

(4) 

tn*r(p)  ==  n \L(p)  n  I<2,  p  G  P. 

(5) 

We  say  that  a  binary  relation  R  on  L  preserves  K  if  t,  €  K  whenever  s  €  K  and 
(s,  t)  G  R. 

Lemma  2.3  ([13,  Lemma  5.1])  Let  (if,  mx)  be  an  induced  subframe  of  (L ,  hil) 
such  that  all  atomic  actions  m l{p)  preserve  K . 

(a)  The  map  A  <— >  A  n  Traces^'  for  A  C  Traces^  is  a  canonical  KAT  homo¬ 
morphism  T  Tr  k  ■ 

(b)  The  map  A  i— >  A  fl  K2  for  A  C  L2  is  a  canonical  KAT  homomorphism 
Reli  — >  Rel^- 

2.3.6  Coherence 

Let  K,L  be  Kripke  frames  over  P,  B.  A  function  /  :  K  — >  L  is  said  to  be 
coherent  if 

(i)  (s,  t)  G  ms: (p)  =>  ( f(s),f(t ))  G  mL(p),  p  G  P 

(ii)  s  G  m K(b)  f{s)  G  m L{b),  b  G  B. 


6 


Condition  (i)  implies  that  /  can  be  extended  to  traces.  Define  /  :  Traces*-  — ► 
Traces*  by 


/(S0T0S1  '  '  '  sn-lPn-lsn)  =  f(so)Pof(sl)---f(sn-l)Pn-lf(sn)- 

The  function  /  is  said  to  be  onto  on  traces  if  its  extension  /  :  Traces*-  — >  Traces* 
is  onto. 

For  a  coherent  function  /  :  K  — >  L  and  A  C  Traces*,  define 
f  l{A)  d=  {cr  G  Traces*  |  f(a)  G  A}. 

Lemma  2.4  ([13,  Lemma  5.3])  If  f  :  K  — >  L  is  coherent ,  then  f~1  is  a  KAT 
homomorphism  on  the  full  trace  algebras  of  I\  and  L,  and  its  restriction  to 
the  regular  trace  algebra  Tr *  is  a  canonical  homomorphism  Tr*  — ►  Tr*.  If  in 
addition  f  is  onto  on  traces,  then  /-1  is  one-to-one,  therefore  /_1  :  Tr*  — >  Tr* 
is  a  canonical  isomorphism. 

2.4  Precomputations 

Let  p  G  RExpp  B  be  a  KAT  expression  representing  a  program.  We  define 
by  induction  an  expression  PreComp(p)  G  RExpPS  that  describes  the  set  of 
precomputations  of  p. 

PreComp(p)  =f  1  +  p,  p  an  atomic  action 
PreComp(fo)  =f  1,  b  a  test 
PreComp(p  +  q)  c=f  PreComp(p)  +  PreComp((7) 

PreComp(p<7)  =f  PreComp(p)  +  p  ■  PreComp(g) 

PreComp(p*)  =f  p*  ■  PreComp(p). 

The  expression  PreComp(p)  is  meant  to  capture  the  prefixes  of  computa¬ 
tions  of  the  program  p.  However,  the  set  [PreComp(p)]]*  is  not  the  same  as 
Prefix)  [p]]*),  the  set  of  prefixes  of  traces  in  [pi*  in  a  Kripke  frame  K ,  although 
the  two  sets  are  related.  Note  that  PreComp(p)  depends  on  the  syntactic  ex¬ 
pression  p  and  not  just  on  its  equivalence  class  modulo  the  axioms  of  Kleene 
algebra. 

The  reason  for  the  definition  of  PreComp(p)  as  given  is  to  capture  the  prefixes 
of  nonhalting  computations.  For  example,  the  program  while  true  do  p  trans¬ 
lates  to  the  KAT  expression  (lp)*0,  which  is  equivalent  to  0;  thus  in  any  trace 
algebra,  the  set  of  traces  represented  by  this  expression  is  empty.  However, 
PreComp((lp)*0)  is  equivalent  to  p* ,  which  represents  the  set  of  traces  cor¬ 
responding  to  precomputations  of  the  nonhalting  program  while  true  do  p. 
When  verifying  a  program  p ,  we  will  actually  verify  the  extended  program 
PreComp(p).  This  will  ensure  that  even  if  p  does  not  halt,  the  safety  condi¬ 
tion  will  still  be  satisfied  at  all  points  in  the  computation. 
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The  definition  PreComp(6)  =  1  for  tests  b  is  intentional.  A  test  b  can  modify 
a  computation,  but  only  in  a  position  preceding  another  action.  This  can  be 
seen  in  the  definition  of  PreComp(pg).  The  test  1  is  always  a  prefix  of  a  test  b, 
because  that  is  the  situation  before  b  is  executed.  This  definition  ensures  that 
PreComp(0*)  is  equivalent  to  1,  which  is  as  it  should  be. 

Lemma  2.5  The  following  are  theorems  of  KAT: 

(i)  1  <  PreComp(p) 

(ii)  p  <  PreComp(p) 

(iii)  PreComp(PreComp(p))  =  PreComp(p). 

Proof.  These  properties  can  be  proved  easily  by  induction  on  the  structure 
of  p.  □ 

Lemma  2.5(iii)  says  that  the  operator  PreComp  is  a  closure  operator.  We  also 
have 

Lemma  2.6  In  any  Kripke  frame  K  and  for  any  KAT  expression  p, 

(i)  [PreComp(p)]li<-  is  closed  under  trace  prefix;  that  is, 

Prefix(  [PreComp(p)]lx)  C  |[PreComp(p)]]/^ 

(ii)  Prefix(  IpJk)  Q  EPreComp(p)J/f  • 

Proof.  Property  (i)  follows  by  induction  on  the  structure  of  p.  Property 
(ii)  is  a  consequence  of  (i),  Lemma  2.5(ii),  and  the  monotonicity  of  the  Prefix 
operator.  □ 

3  Security  Automata  and  KAT 

Formally,  a  security  automaton  M  =  ( Q ,  Pcrit,  5 ,  S,  E)  for  a  program  r  over 
atomic  actions  P  and  atomic  tests  B  is  an  ordinary  deterministic  finite  automa¬ 
ton  consisting  of  a  finite  set  of  states  Q,  a  finite  input  alphabet  Pcrit  CP,  a 
deterministic  transition  function  S  :  Q  x  Pcrit  — >  Q,  a  start  state  S  £  Q,  and  a 
set  of  error  states  E  C  Q.  The  elements  of  Pcr;t  are  called  critical  operations. 
These  are  the  atomic  actions  that  can  cause  a  transition  to  another  state  in  M. 
We  denote  elements  of  Q  by  U,V,W, . . .. 

We  can  extend  the  automaton  to  allow  noncritical  operations  by  defining 
5(U,p)  d=  U  for  p  €  P  -  Pent- 

To  capture  the  information  represented  by  states  of  a  security  automaton  in 
KAT,  we  introduce  an  atomic  test  U  corresponding  to  each  state  U  £  Q  and 
premises 


UV  =  0, 

for  U,V  £Q,U  ^  V 

(6) 

Up  <  pV, 

for  p  £  Pcrit,  V  =  6 (U,p) 

(7) 

Up  <  pU, 

for  p  £  P  -  Pcrit . 

(8) 
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Premises  (6)  assert  that  it  is  impossible  to  be  in  two  states  of  M  simultane¬ 
ously.  State  information  is  propagated  forward  through  the  code  by  means  of 
premises  (7)  and  (8).  The  former  says  that  for  critical  operations,  the  state 
changes  according  to  the  transition  function  <5  of  M,  and  the  latter  says  that 
for  noncritical  operations,  the  state  does  not  change. 

Assertions  of  the  form  (7)  and  (8)  have  useful  alternative  forms  given  by  (1)- 
(3).  These  are  various  representations  in  KAT  of  the  Hoare  partial  correctness 
assertion  {U}  p  {V}.  Because  of  the  form  (3),  formulas  with  premises  of  this 
form  are  Hoare  formulas,  therefore  verifiable  in  PSPACE.  The  conjunction  of 
all  premises  (6)-(8)  is  denoted  Am- 

The  following  lemma  is  useful  in  propagating  state  information  in  a  program. 
Lemma  3.1  The  following  are  theorems  of  KAT. 

(i)  If  bp  <  pc  and  dp  <  pe,  then  ( b  +  d)p  <  p(c  +  e). 

(ii)  If  bp  <  pc  and  bq  <  qd,  then  b{p  +  q)  <  (p  +  q)(c  +  d). 

(iii)  Let  B  be  a  set  of  states  of  M,  and  let  B'  be  the  smallest  set  of  states 

containing  B  and  closed  under  p;  that  is,  B'  is  the  smallest  set  of  states 

such  that  B  C  B' ,  and  if  U  G  B' ,  then  5{U,p)  €  B' .  Let  b  =  Jf,  B  and 
b'  =  fT  B' .  Then  Am  — >  bp *  <  p*b' . 

Now  let  (K,  rtiA')  be  a  Kripke  frame  over  alphabets  P  of  atomic  actions  and 
B  of  atomic  tests.  Let  M  =  ( Q ,  Pcr;t,  6 ,  s,  E)  be  a  security  automaton  over  an 
alphabet  Pcrit  C  P  of  critical  actions.  We  can  view  M  as  a  Kripke  frame  over 
atomic  actions  P  and  atomic  tests  Q  by  defining 

m m(p)  =f  {(U,  6(U,p))  |  U  €  Q},  p  e  Pcrit 
mM  (p)  =  {{U,  U)\U  £  Q},  PeP- Pcrit 
m  M(U)  =  {U},  UgQ. 

We  also  use  E  to  denote  the  test  Yle^E  e- 

Let  r  be  a  program,  which  is  just  a  term  of  KAT  over  P,  B.  We  now  define 
what  it  means  for  r  to  be  safe  with  respect  to  the  security  policy  specified  by 

M. 

First  we  form  the  instrumented  frame  K  x  M  over  atomic  actions  P  and 
atomic  tests  B  U  Q  as  follows  (we  assume  that  B  n  Q  =  0).  The  states  of 
K  x  M  are  ordered  pairs  ( u,U ),  where  u  is  a  state  of  K  and  U  is  a  state  of 
M.  For  critical  atomic  operations  p  €  Pcrit,  for  noncritical  atomic  operations 
q  €  P  —  Pcrit ,  for  atomic  tests  b  €  B,  and  for  atomic  tests  U  €  Q,  define 

m kxm(p)  =f  {((u,U),(v,  V))  |  (u,v)  e  m K(p),  (U,V)  €  m M(p)}  (12) 

mA'xM(g)  =  {((u,U),  {v,V))  \  (u,v)  £  mK{q),  U  =  V}  (13) 

m  KxM(b)  =f  {(u,  U)\u€  mK{b),  U  e  Q}  (14) 

m kxm(U)  d=  {(«,  U)  |  u  €  I<}.  (15) 


(9) 

(10) 

(11) 
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In  other  words,  a  critical  transition  p  £  Pcrit  causes  a  transition  in  both  compo¬ 
nents  of  the  product,  and  a  noncritical  transition  causes  a  transition  in  K  but 
not  in  M .  A  state  (u,  U)  of  the  product  satisfies  an  atomic  test  in  B  iff  its  first 
component  does  and  satisfies  an  atomic  test  in  Q  iff  its  second  component  does. 

The  instrumented  frame  K  x  M  is  formal  means  by  which  we  run  a  program 
r  in  K  and  the  security  automaton  M  simultaneously.  The  projection  of  a  trace 
onto  the  sequence  of  first  components  gives  a  trace  in  K,  and  the  projection 
onto  the  sequence  of  second  components  gives  a  corresponding  trace  in  M.  Both 
components  run  according  to  the  same  sequence  of  atomic  actions,  as  ensured 
by  (12)  and  (13). 

A  trace  of  K  x  M  is  erroneous  with  respect  to  M  if  it  contains  an  error 
state  of  M.  Thus  the  non-erroneous  traces  are  represented  by  the  expression 
( E  ■  J2P)*E.  Note  that  this  is  determined  by  the  second  components  of  the 
states  in  the  trace. 

We  say  that  a  program  r  is  safe  in  K  with  respect  to  M  if 

IS  ■  PreComp(r)]xXM  C  l(E  ■  J2  P)*EJKxM-  (16) 

The  left-hand  side  represents  the  set  of  traces  of  the  instrumented  frame  K  x  M 
whose  first  components  give  a  computation  prefix  of  r  in  K  and  whose  second 
components  represent  a  run  of  the  security  automaton  M  starting  in  its  start 
state.  The  inclusion  (16)  states  that  no  such  trace  is  erroneous. 

Note  that  in  any  Kripke  frame  L,  [(A  -  Y2  P)* E1l  is  closed  under  Prefix; 
that  is, 


Prefix([(A- J2P)*E]l)  C  1{E  ■  £  P)*EJL.  (17) 

Let  7Ti  and  7T2  denote  the  projections  from  elements  of  K  x  M  to  their 
first  and  second  components,  respectively.  It  follows  from  (12)— (15)  that  7Ti  is 
coherent  in  the  sense  of  §2.3.6,  ignoring  tests  in  Q.  Similarly,  7t2  is  coherent, 
ignoring  tests  in  B.  Moreover,  7Ti  is  onto  on  traces,  as  shown  in  the  following 
lemma. 

Lemma  3.2  For  every  trace  p  £  Traces^-  and  every  state  U  £  Q,  there  is  a 
trace  r  €  TracesA'xM  such  that  7Ti(t)  =  p  and  flrst(r)  =  (first(p),  U). 

Proof.  For  every  (u,v)  £  mK(p)  and  U  £  Q,  there  is  a  state  V  £  Q,  namely 
S(U,p),  such  that  ((u,  U),  (v,  V))  £  m kxm(p)-  The  result  follows  by  induction 
on  the  length  of  p.  □ 

Lemma  3.3  The  operations  nf1  and  Prefix  commute.  That  is,  for  all  A  C 
Traces^,  7rj"1(Prefix(A))  =  Prefix(7rj"1(A)). 

Proof.  Let  a  £  Traces^xM  and  p  £  Traces^  such  that  7Ti [a)p  exists.  Then 
last(cr)  =  ( u,U )  and  first(p)  =  u  for  some  ( u,U ).  By  Lemma  3.2,  there  is  a 
trace  r  £  Traces kxm  such  that  flrst(r)  =  ( u ,  U)  and  7Ti(r)  =  p.  Thus  or  exists 
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and  7Ti(fT r)  =  7ri(cr)7ri(r)  =  ni(a)p.  From  this  argument  it  follows  that 

a  G  7r^1(Prefix(A))  <G>  7ri(cr)  G  Prefix(A) 

<t=>  3 p  ni(a)p  G  A 

<t=>  3 r  7r1(crr)  €  A 

<t=>  3r  err  G  7rf1(A) 

-t=>  er  G  Prefix^)-1  (A)). 

Since  this  holds  for  arbitrary  a,  the  result  follows.  □ 

A  program  r  over  P,  B  is  called  total  in  K  if  [PreComp(r)]|j<-  C  Prefix(  Erll/c); 
that  is,  if  every  trace  of  PreComp(r)  in  K  is  a  prefix  of  a  trace  of  r  in  K. 

Lemma  3.4  Ifr  is  total  in  K,  then  r  is  total  in  the  instrumented  frame  K  x  M . 

Proof.  Suppose  |[PreComp(r)]]A'  C  Prefix(  IM/c).  Since  7T!  :  TracesKxM  — >• 
Traces^  is  coherent  in  the  sense  of  §2.3.6,  ignoring  tests  in  Q ,  we  have 

[PreComp(r)]licxM  =  7rj"1(  [PreComp(r)]|/i')  by  Lemma  2.4 

C  7rj"1(Prefix(  since  nf1  is  monotone 

=  Prefix(7rf :( [r]lx))  by  Lemma  3.3 

=  Prefix(  C?’]| kxm)  by  Lemma  2.4. 

□ 

4  Soundness 

Theorem  4.1  (Soundness)  Let  T>  be  any  set  of  premises  over  P,  B,  and  let  r 
be  a  program  over  P,B.  If 

A m  — >  ®  — >  S  ■  PreComp(r)  <  (E  -J2  P)*E  (18) 

is  a  theorem  of  KAT,  then  r  is  safe  with  respect  to  M  in  any  Kripke  frame  K 
whose  regular  trace  algebra  Tr^  satisfies  D. 

Proof.  Let  K  be  a  Kripke  frame  whose  regular  trace  algebra  Tr^-  satisfies 
©.  It  suffices  to  show  that  Tr kxm,  the  trace  algebra  of  the  instrumented  frame 
K  x  M,  satisfies  Am  and  ©,  because  then  that  model  must  satisfy  the  right-hand 
side  of  (18),  which  says  exactly  that  (16)  holds. 

For  premises  of  the  form  (6),  by  (11),  the  only  state  of  M  satisfying  the  test 
U  is  the  state  U,  therefore  UJVJm  =  0-  Similarly,  for  premises  of  the  form 
(7)  and  (8),  (9)  and  (10)  ensure  that  UpV  is  the  only  trace  in  UJpJm ,  where 
V  =  S(U,p),  therefore  UJpJu  =  UJpVJm-  Thus  Tr m  satisfies  all  the  equations 
in  Am-  Restricting  attention  to  formulas  over  P,Q  (that  is,  ignoring  tests  in 
B ),  since  tt-2  is  coherent,  by  Lemma  2.4  we  have  a  canonical  homomorphism  irf1 
from  Tr  m  to  TfRxM,  therefore  Tr  kxm  satisfies  all  the  equations  in  Am  as  well. 
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Similarly,  restricting  attention  to  formulas  over  P ,  B  (that  is,  ignoring  tests 
in  Q),  since  7Ti  is  coherent,  by  Lemma  2.4  we  have  a  canonical  homomorphism 
nf1  from  Tr k  to  Tr kxm,  therefore  Tr kxm  satisfies  all  equations  satisfied  by 
Tr^;  in  particular,  it  satisfies  T>.  □ 


In  practice,  this  result  can  be  simplified  when  the  program  is  known  to  be 
total.  This  gives  a  simpler  verification  condition  that  is  easier  to  check,  since 
we  do  not  have  to  deal  with  the  precomputations  of  the  program  explicitly. 


Corollary  4.2  Let  CD  be  any  set  of  premises  over  P ,  B,  and  let  r  be  a  program 
over  P,B.  If 

Sr<(E-Y.P)*E  (1-9) 

is  a  theorem  of  KAT,  then  r  is  safe  with  respect  to  M  in  any  Kripke  frame  K 
whose  regular  trace  algebra  Tr k  satisfies  ©  such  that  r  is  total  in  K . 

Proof.  Let  K  be  a  Kripke  frame  whose  regular  trace  algebra  Tr^-  satisfies  CD 
such  that  r  is  total  in  K.  As  in  the  proof  of  Theorem  4.1,  Tr^XM  satisfies  Am 
and  CD,  so  by  (19)  we  have 

lSrJKxM  C  1(E-J:P)*E1kxm.  (20) 

By  Lemma  3.4,  r  is  total  in  the  instrumented  frame  K  x  M;  that  is, 


Then 


[PreComp(r)]|/-s:xM  C  Prefix(  ItIk-km)- 


(21) 


[.S'  ■  PreComp(?’)]xxM 
=  LSI  KxM  •  [PreComp(r)]lA'xM 
C  ISJkxm  ■  Prefix([r]A:xM)  by 
=  Pref\x(lSrJKxM)  by 

C  Prefix(  l(E  ■  £  P)*E]Kxm)  by 
C  1(E-J2P)*EJkxm  by 


(21)  and  monotonicity  of  composition 
Lemma  2.1 

(20)  and  nronotonicity  of  Prefix 
(17). 


This  inclusion  is  just  (16),  which  was  to  be  shown. 


□ 


5  Completeness 

In  this  section  we  prove  the  converse  of  Theorem  4.1:  if  the  program  r  fails 
to  verify,  then  there  is  a  relational  interpretation  of  r  in  which  the  program  is 
unsafe.  This  is  a  kind  of  weak  completeness  theorem.  It  is  weak  in  the  sense  that 
in  real  applications,  we  are  typically  interested  in  a  particular  interpretation, 
and  the  theorem  does  not  say  that  that  if  r  fails  to  verify,  then  r  is  unsafe  in  the 
interpretation  of  interest.  However,  it  does  show  that  the  method  is  as  powerful 
as  it  can  be  up  to  the  level  of  expression  represented  by  propositional  Horn  logic. 
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Of  course,  the  completeness  theorem  can  be  made  arbitrarily  strong  subject 
to  this  restriction  by  choosing  a  sufficiently  large  set  of  premises  T>.  The  larger 
T>,  the  fewer  models  are  available  as  counterexamples.  Normally  the  style  of 
reasoning  in  KAT  is  to  use  the  specific  properties  of  the  interpretation  of  interest 
only  to  establish  the  validity  of  the  premises  D,  thereafter  reasoning  purely 
propositionally  under  those  assumptions.  This  result  fits  well  with  that  view 
in  that  it  characterizes  the  strength  of  the  deduction  system  when  it  is  used  in 
this  way. 

For  completeness,  we  must  also  make  the  added  assumption  that  the  premises 
in  D  are  of  the  form  p  =  0  and  that  D  is  finite.  This  allows  us  to  exploit  the 
completeness  result  for  Hoare  formulas  over  relational  and  trace  models.  This 
is  not  a  strong  restriction,  since  most  premises  that  arise  in  practice,  including 
all  Hoare-style  partial  correctness  assertions,  are  of  this  form. 

Theorem  5.1  (Completeness)  LetV  be  any  finite  set  of  premises  of  the  form 
p  =  0  over  P,  B ,  and  let  r  be  a  program  over  P,B.  If  r  is  safe  with  respect  to 
M  in  all  Kripke  frames  K  whose  trace  algebra  Trx  satisfies  D,  then  (18)  is  a 
theorem  of  KAT. 

Proof.  We  prove  the  contrapositive.  Suppose  (18)  is  not  a  theorem  of  KAT. 
Since  KAT  is  complete  for  the  Hoare  theory  of  relation  algebras  [12,  Theorem 
4.1],  and  since  this  theory  coincides  with  the  Hoare  theory  of  trace  algebras 
(Lemma  2.2),  there  exists  a  trace  algebra  Trx  in  which  (18)  is  not  satisfied. 
Here  K  is  a  Kripke  frame  over  atomic  actions  P  and  atomic  tests  BllQ,  where 
as  in  the  previous  section  we  are  assuming  B  D  Q  =  0 .  Then  Trx  satisfies  Am 
and  D,  but  there  exists  a  trace  a  of  I\  such  that 

<x€  IS-  PreComp(r)ljf  -  l(E  ■  P)*EJK. 

Let 

/  ,  def  f  U,  if  UGIU1k,UGQ, 

g(u)  =  < 

I  undefined,  otherwise. 

If  g(u)  exists,  then  it  is  unique,  since  Tr k  satisfies  the  premises  (6).  (One  could 
guarantee  the  existence  of  g(u)  by  including  the  premise  Q  =  1  in  Am',  but 
this  is  not  necessary  for  the  result.)  Let  K'  be  the  induced  subframe  of  K  on  the 
set  of  states  {u  €  I\  \  g(u)  exists}.  Since  Trx  satisfies  (7)  and  (8),  the  states  of 
K'  are  closed  under  the  actions  of  P;  that  is,  if  g(u)  exists  and  (u,v)  €  m k(p), 
then  g(v)  exists.  Since  a  €  [S'  •  PreComp(r)]lA',  we  have  first (cr)  €  [Six, 
therefore  g (first (<r))  =  S  and  cr  €  Traces^'-  By  Lemma  2.3(a), 


IS  ■  PreComp(r)]lx  O  Traces^'  =  [S  •  PreComp(r)]lx' 
l(E  ■  £  P)*EJk  O  Traces^  =  [(£•£  P)*EJk-, 

therefore 

ere  IS-  PreComp(r)]lx'  -  l(E  ■  £  P)*E\k>  ■ 
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Now  let  K"  be  the  Kripke  frame  over  P ,  B  obtained  from  K'  by  ignoring  the 
interpretations  of  the  tests  Q.  That  is,  m k"(p)  =  m K’{p )  and  m K"(b)  =  m K'(b) 
for  p  G  P  and  b  G  B,  and  m k"(U)  is  undehned  for  U  G  Q.  Let  K"  x  M  be  the 
instrumented  frame.  Let  /  :  K'  — >  K"  x  M  be  the  map  f(u)  =  (u,g(u)).  It 
follows  easily  from  the  definitions  (12)-(15)  that  the  map  /  is  coherent  in  the 
sense  of  §2.3.6.  By  Lemma  2.4,  for  any  q,  l_q~lK'  =  therefore 

cr  G  IS  ■  PreComp(r)]]^  -  l(E  ■  ^  P)*E\k> 

=  f~\lS  ■  PreComp(r)]Jc"xM)  -  /_1(  l(E  ■  E  PYEJk-xm) 

=  rYlS  ■  PreComp {r)1K»xM  ~  l(E  ■  E P)*E1k"xm), 

or  in  other  words, 

/(ct)  G  IS  ■  PreComp {r)lK»xM  -  1{E  ■  E  P)*EJ \K»xM- 

Thus  r  is  not  safe  in  K"  with  respect  to  M. 

It  remains  to  argue  that  Txk"  satisfies  CD.  But  Tr k"  satisfies  any  equation 
over  P,B  satisfied  by  Tr^,  since  the  map  [p] \k  i— 5-  [pHic'  is  a  homomorphism 
Tr k  Tr k1  by  Lemma  2.3(a),  and  I pJx>  =  l pJk"  for  any  p  over  P,B  by 
definition.  □ 


6  An  Example 

The  following  example  is  from  [3].  It  is  a  code  fragment  from  a  device  driver 
consisting  of  a  loop  that  alternately  acquires  and  releases  a  lock  on  a  resource. 

do  -[ 

KeAcquireSpinLockO ; 
nPacketsDld  =  nPackets; 
if  (request)  { 

request  =  request->Next ; 

KeReleaseSpinLockO  ; 
nPackets++ ; 

> 

}  while  (nPackets  !=  nPacketsOld) ; 

KeReleaseSpinLockO  ; 

If  the  driver  currently  holds  the  lock  and  attempts  to  reacquire  it,  or  if  the 
driver  does  not  currently  hold  the  lock  and  attempts  to  release  it,  the  driver 
will  hang.  Hence  a  precondition  for  safe  execution  of  any  acquire  (respectively, 
release)  operation  is  that  the  driver  does  not  (respectively,  does)  currently  hold 
the  lock.  The  correct  behavior  is  specified  by  the  following  automaton. 
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acquire 


The  start  state  is  the  unlocked  state. 
Using  the  propositional  abbreviations 


kA 

KeAcquireSpinLockO 

kR 

KeReleaseSpinLockO 

n 

nPacketsOld  =  nPackets 

u 

request  =  request->Next 

m 

nPackets++ 

R 

request 

B 

nPackets  ==  nPacketsOld 

and  the  KAT  encoding  of  the  control  structures 

do  p  while  C 

=  p;  (' C;p)*;C 

if  C  then  p 

=  C;p  +  C , 

the  program  above  becomes 

kA;  n;  ( R ;  u;  kR ;  m  +  R);  (B;  kA;  n;  ( R ;  it;  kR;  m  +  /?,))*;  fci?  (22) 

Let  A  be  a  new  test  representing  the  assertion  that  the  driver  is  in  the  locked 
state.  The  precondition  for  safe  execution  of  kA  (acquire)  is  A  (unlocked),  and 
the  precondition  for  safe  execution  of  kR  (release)  is  A  (locked).  In  addition, 
the  resource  is  initially  unlocked,  so  A  is  a  global  precondition. 

To  specify  the  correctness  conditions,  we  can  annotate  the  program  above 
by  inserting  before  every  occurrence  of  a  critical  operation  kA  or  kR  its  precon¬ 
dition  for  safe  execution.  This  gives  the  annotated  program 

A;  kA;  n;  (R;  u;  A;  kR;  m  +  R);  ( B ;  A;  kA;  n;  {R;  u;  A;  kR;  m  +  R))*;  B;  A;  kR. 

(23) 

The  program  is  otherwise  identical  to  (22). 

To  argue  that  the  program  is  safe,  we  wish  to  show  that  the  unannotated 
program  (22)  and  the  annotated  program  (23)  are  equivalent.  This  would  say 
that  the  precondition  for  safe  execution  of  any  critical  operation  is  guaranteed 
to  hold  immediately  before  that  operation,  so  that  transition  to  the  error  state 
is  impossible.  These  preconditions  become  true  in  the  first  place  by  executing 
other  operations  at  other  points  in  the  program.  For  example,  execution  of  a 
kA  (acquire)  operation  acquires  the  lock,  therefore  causes  A  to  become  true 
immediately  afterward.  This  assumption  takes  the  form  of  a  premise  kA  = 
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kA;  A.  Other  operations  such  as  n  or  u  that  do  not  affect  the  truth  value  of 
A  commute  with  it,  giving  rise  to  commutativity  conditions  A;  n  =  n;  A  and 
A;u  =  u;  A.  For  this  particular  task,  we  postulate  the  following  premises. 


kA  =  kA ;  A 

(24) 

kR  =  kR;  A 

(25) 

B;m  =  B;m;B 

(26) 

n  =  n;  B 

(27) 

A;n  =  n;  A 

(28) 

A;u  =  u;A 

(29) 

A;  m  =  to;  A 

(30) 

B;u  =  u;  B 

(31) 

B ;  kR  =  kR ;  B 

(32) 

These  conditions  have  the  following  meanings.  Condition  (24)  says  that  acquir¬ 
ing  the  lock  acquires  it.  Condition  (25)  says  that  releasing  the  lock  releases  it. 
Condition  (26)  says  that  if  two  integer  variables  are  equal  and  we  increment 
one,  then  they  are  no  longer  equal.  Condition  (27)  says  that  assigning  the  value 
of  one  variable  to  another  makes  them  equal.  Conditions  (28)-(32)  are  commu¬ 
tativity  conditions.  They  say  that  the  execution  of  the  specified  atomic  action 
does  not  affect  the  truth  of  the  specified  test.  All  these  premises  are  self-evident 
and  follow  from  basic  properties  of  the  domain  of  computation. 

Let  £  be  the  conjunction  of  (24)-(32).  These  are  our  premises.  To  show 
that  the  program  is  safe,  we  wish  to  prove  in  KAT  that  the  Horn  formula 

£  — >  A;p  <  A;  q  (33) 

holds,  where  p  and  q  are  the  unannotated  and  annotated  programs  (22)  and 
(23),  respectively.  The  prefix  A  in  both  programs  is  the  global  precondition 
that  states  that  initially  the  driver  does  not  have  the  lock.  This  annotation 
is  necessary,  because  the  first  critical  operation  performed  by  the  driver  is  an 
acquire  operation  kA. 

The  formula  (33)  has  been  formally  verified  using  the  KAT-ML  theorem 
prover  [1]. 


7  Future  Work 

The  structure  of  security  automata  can  be  generalized  to  handle  other  types 
of  static  analysis.  For  example,  let  L  be  an  upper  semilattice  such  that  all 
ascending  chains  are  finite.  This  is  called  the  ascending  chain  condition  (ACC). 
Elements  are  called  types  or  abstract  values.  Associated  with  each  atomic  action 
p  is  a  strict,  partial,  finitely  additive  map  fp:L-^L  called  its  transfer  function. 
The  propagation  of  type  information  can  be  coded  in  KAT  by  premises  Xp  < 
pfp(X).  The  ACC  needed  for  *.  It  seems  clear  Java  bytecode  verification  can 
be  handled  in  this  way.  We  leave  this  question  for  future  investigation. 
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